ctblocker | 1278fce7d3446e34bc6c46b7262ddb63c34c848696d428a24c896b9c700c1203

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/10/2024, 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uw Factuur 0092-0287492-39238.pdf.exe
Size

804KB
MD5

88a509f4974b099b9a18c97e93d23f6b
SHA1

215f031e777464de6a253be0c520c6ce815bdf88
SHA256

5930f3589545070d4ab4e09c857db89b9b60e882d12ee6dc0b7213e37d32a50e
SHA512

f9b378d7819f7087ef6abf276c59acf8b528d675e69f1da6d63b6690fb3d9f241c5702ae7e23f35bd21547bfe5e3202c2c5879326003caacc817d3ddc1b0cb4f
SSDEEP

12288:7W02CHYwXcuevg6KILXB6iVZdXlQgBI7SJrydLCf6WsfrZBIr5kei+o3cw5s7CRH:7ACHnXcEILxtZtSg+SBzf9uIuvMqkk

Score

10^/10

ctblocker defense_evasion discovery execution impact ransomware

Malware Config

Extracted

Path

C:\ProgramData\cziklag.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation	jgdsooe.exe

Executes dropped EXE 4 IoCs

pid	Process
2636	jgdsooe.exe
868	jgdsooe.exe
1580	jgdsooe.exe
2628	jgdsooe.exe

Loads dropped DLL 6 IoCs

pid	Process
2644	Uw Factuur 0092-0287492-39238.pdf.exe
2644	Uw Factuur 0092-0287492-39238.pdf.exe
2636	jgdsooe.exe
2636	jgdsooe.exe
1580	jgdsooe.exe
1580	jgdsooe.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	svchost.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Warn If RGB.jsx	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\graphical.admonition.properties.xml	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\wmimplex.CNT	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Linker.dll	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\t21.png	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\goURL_lr_photoshop_it.csv	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\PriorityQueue.mi	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\error.png	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\caution.png	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Adobe-Korea1-H-CID	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\404.htm	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\error_1.png	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\404.htm	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\chapter_open.gif	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\dsc_health_good_tile.png	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\403-18.htm	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\sgr.fca	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Steel - Stainless.3PP	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Linker.dll	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\inventory_2.png	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\graphical.admonition.properties.xml	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\PlanObj.java	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\goURL_lr_photoshop_tw.csv	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\figure.properties.xml	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Grayscale.act	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\figure.properties.xml	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\alert_alt.png	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AortaEndoderm.4	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\chapter_open.gif	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\t21.png	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Steel - Stainless.3PP	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Rabbinate.wMW	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\dsc_health_good_tile.png	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\asyncqueue.js	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\callout.unicode.start.character.xml	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\component.label.includes.part.label.xml	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\error_1.png	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\closed.png	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\403-18.htm	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\head.js	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\caution.png	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\dsc_backup_tile.png	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\asyncqueue.js	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\compare-with-callbacks.js	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\component.label.includes.part.label.xml	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\head.js	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\PriorityQueue.mi	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\PCDR_HUD_4_3.scheme	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Rabbinate.wMW	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AortaEndoderm.4	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\palm_alpha_0.png	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\palm_alpha_0.png	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\speaker_system.png	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\goURL_lr_photoshop_tw.csv	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Warn If RGB.jsx	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\dsc_backup_tile.png	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\compare-with-callbacks.js	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\speaker_system.png	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\error.png	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\sgr.fca	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Grayscale.act	jgdsooe.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\403-16.htm	jgdsooe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\403-16.htm	jgdsooe.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-duymufc.bmp"	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2644 set thread context of 1612	2644	Uw Factuur 0092-0287492-39238.pdf.exe	30
PID 2636 set thread context of 868	2636	jgdsooe.exe	33
PID 1580 set thread context of 2628	1580	jgdsooe.exe	38

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-duymufc.bmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-duymufc.txt	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uw Factuur 0092-0287492-39238.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jgdsooe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jgdsooe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jgdsooe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jgdsooe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uw Factuur 0092-0287492-39238.pdf.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000500000001a485-57.dat	nsis_installer_1
behavioral1/files/0x000500000001a485-57.dat	nsis_installer_2

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1956	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	jgdsooe.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	jgdsooe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	jgdsooe.exe

Modifies data under HKEY_USERS 23 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{367eaf84-3d79-11ef-ac21-806e6f6e6963}\MaxCapacity = "14116"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00330036003700650061006600380034002d0033006400370039002d0031003100650066002d0061006300320031002d003800300036006500360066003600650036003900360033007d00000030002c007b00660039006300650037003300370065002d0033006400340031002d0031003100650066002d0062003700630034002d006400610039006500630062003900350038003300390039007d0000000000	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f9ce737e-3d41-11ef-b7c4-da9ecb958399}\MaxCapacity = "2047"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f9ce737e-3d41-11ef-b7c4-da9ecb958399}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{367eaf84-3d79-11ef-ac21-806e6f6e6963}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f9ce737e-3d41-11ef-b7c4-da9ecb958399}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{367eaf84-3d79-11ef-ac21-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1612	Uw Factuur 0092-0287492-39238.pdf.exe
868	jgdsooe.exe
868	jgdsooe.exe
868	jgdsooe.exe
868	jgdsooe.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	868	jgdsooe.exe
Token: SeDebugPrivilege	868	jgdsooe.exe
Token: SeShutdownPrivilege	1196	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2628	jgdsooe.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2628	jgdsooe.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2628	jgdsooe.exe
2628	jgdsooe.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1196	Explorer.EXE

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 1612	2644	Uw Factuur 0092-0287492-39238.pdf.exe	30
PID 2644 wrote to memory of 1612	2644	Uw Factuur 0092-0287492-39238.pdf.exe	30
PID 2644 wrote to memory of 1612	2644	Uw Factuur 0092-0287492-39238.pdf.exe	30
PID 2644 wrote to memory of 1612	2644	Uw Factuur 0092-0287492-39238.pdf.exe	30
PID 2644 wrote to memory of 1612	2644	Uw Factuur 0092-0287492-39238.pdf.exe	30
PID 2644 wrote to memory of 1612	2644	Uw Factuur 0092-0287492-39238.pdf.exe	30
PID 2644 wrote to memory of 1612	2644	Uw Factuur 0092-0287492-39238.pdf.exe	30
PID 2568 wrote to memory of 2636	2568	taskeng.exe	32
PID 2568 wrote to memory of 2636	2568	taskeng.exe	32
PID 2568 wrote to memory of 2636	2568	taskeng.exe	32
PID 2568 wrote to memory of 2636	2568	taskeng.exe	32
PID 2636 wrote to memory of 868	2636	jgdsooe.exe	33
PID 2636 wrote to memory of 868	2636	jgdsooe.exe	33
PID 2636 wrote to memory of 868	2636	jgdsooe.exe	33
PID 2636 wrote to memory of 868	2636	jgdsooe.exe	33
PID 2636 wrote to memory of 868	2636	jgdsooe.exe	33
PID 2636 wrote to memory of 868	2636	jgdsooe.exe	33
PID 2636 wrote to memory of 868	2636	jgdsooe.exe	33
PID 868 wrote to memory of 592	868	jgdsooe.exe	9
PID 592 wrote to memory of 1248	592	svchost.exe	34
PID 592 wrote to memory of 1248	592	svchost.exe	34
PID 592 wrote to memory of 1248	592	svchost.exe	34
PID 868 wrote to memory of 1196	868	jgdsooe.exe	21
PID 868 wrote to memory of 1956	868	jgdsooe.exe	35
PID 868 wrote to memory of 1956	868	jgdsooe.exe	35
PID 868 wrote to memory of 1956	868	jgdsooe.exe	35
PID 868 wrote to memory of 1956	868	jgdsooe.exe	35
PID 868 wrote to memory of 1580	868	jgdsooe.exe	37
PID 868 wrote to memory of 1580	868	jgdsooe.exe	37
PID 868 wrote to memory of 1580	868	jgdsooe.exe	37
PID 868 wrote to memory of 1580	868	jgdsooe.exe	37
PID 1580 wrote to memory of 2628	1580	jgdsooe.exe	38
PID 1580 wrote to memory of 2628	1580	jgdsooe.exe	38
PID 1580 wrote to memory of 2628	1580	jgdsooe.exe	38
PID 1580 wrote to memory of 2628	1580	jgdsooe.exe	38
PID 1580 wrote to memory of 2628	1580	jgdsooe.exe	38
PID 1580 wrote to memory of 2628	1580	jgdsooe.exe	38
PID 1580 wrote to memory of 2628	1580	jgdsooe.exe	38

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:592
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:1248

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1196
- C:\Users\Admin\AppData\Local\Temp\Uw Factuur 0092-0287492-39238.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Uw Factuur 0092-0287492-39238.pdf.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Users\Admin\AppData\Local\Temp\Uw Factuur 0092-0287492-39238.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Uw Factuur 0092-0287492-39238.pdf.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1612

C:\Windows\system32\taskeng.exe
taskeng.exe {98A6B568-9B7B-4849-B8CB-667176108CB8} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\jgdsooe.exe
  C:\Users\Admin\AppData\Local\Temp\jgdsooe.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Users\Admin\AppData\Local\Temp\jgdsooe.exe
    C:\Users\Admin\AppData\Local\Temp\jgdsooe.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows all
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\jgdsooe.exe
      "C:\Users\Admin\AppData\Local\Temp\jgdsooe.exe" -u
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1580
    - - C:\Users\Admin\AppData\Local\Temp\jgdsooe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jgdsooe.exe" -u
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Help\stwsoge

Filesize
654B

MD5
2c627e4d79520dbcde90b043aa1ebd70

SHA1
59de5b23ec10034ade6dfeb90e002e525f43796c

SHA256
af87218b2dae0acfe1d9033a0c7dbe1235604c77745adc41d8133c70c7073484

SHA512
ada2ab4d5a2913c753e9e1c4115b5902f2e27cc1ba0807b392e2098316bb6866337073f656511fc972256e5f9c73826ab4862d734b6d2f9d206f8b6bb8548ae3

Download Submit
C:\ProgramData\Microsoft Help\stwsoge

Filesize
654B

MD5
064fa884fdb505121482e74438b7403f

SHA1
190bba2be11cdec0447b3f113803732c1ccc2233

SHA256
9c1a68e3aa6da9e7f0c1b82186538dfc476b5c319a39445fab033c10f61b6818

SHA512
56bde6698a61e182c1b893c7ccd6d0f0b6025e0498757b8367cde9658962d2714424feb08b5ed97e84c1ada44b81227373a7051bdd4e5d0b6588146867bf72d3

Download Submit
C:\ProgramData\Microsoft Help\stwsoge

Filesize
654B

MD5
d110f208aa692c35fcab018a7ce24ee7

SHA1
8980a38019bec9d2426dcc7f3697a491568dc8c5

SHA256
ae70ad7533bdee74b1c78a6495582e6a114feb3fcc0e40165da75226aaef2424

SHA512
8e20a2db7ae904d7fdfba9b860f7f5536850d234eed82c0734bb957764fb3f8f1be52ff86bf073e9835917845f2e75aac45833f10e560f1cf82a812b9da7b890

Download Submit
C:\ProgramData\cziklag.html

Filesize
63KB

MD5
18e753e27eaef94285f429a621209836

SHA1
20009ea453aaaa7557bed1f1b651060e4557f66d

SHA256
09b80881f6d7481d8f51b882a92e75afbc9d0649923bae6838ed4ddfdad69f38

SHA512
50525fd191893dfe82cffebad03d966afc11c46ccf2e7aa50a7c0c1371db7eb28c176d320ad96a358a2f84e2ccdd7b405f31db653729f2106911611f26745a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgdsooe.exe

Filesize
804KB

MD5
88a509f4974b099b9a18c97e93d23f6b

SHA1
215f031e777464de6a253be0c520c6ce815bdf88

SHA256
5930f3589545070d4ab4e09c857db89b9b60e882d12ee6dc0b7213e37d32a50e

SHA512
f9b378d7819f7087ef6abf276c59acf8b528d675e69f1da6d63b6690fb3d9f241c5702ae7e23f35bd21547bfe5e3202c2c5879326003caacc817d3ddc1b0cb4f

Download Submit
C:\Users\Admin\AppData\Roaming\asyncqueue.JS

Filesize
4KB

MD5
97c2cce0b8038bd21abaf457b50f8112

SHA1
ac6fc6496817e98c7701fc9afc5e0b6eb78d74bb

SHA256
f59ee97d7d97c887e5da91778ce8d3583b1e448680581e1796312d017e699059

SHA512
874ff6ce0ca3ed1a57e379e91a9ff94e3893b3ceb9e7c1b6bf715565347c14e3e8b8a3bdeb86ae55a9ce9d67eeb3dd6289e63b756dbb4b1db91ef08a88798fc3

Download Submit
C:\Users\Admin\AppData\Roaming\compare-with-callbacks.JS

Filesize
1KB

MD5
2c6f5684ce8e64e2ac4d106ec6c361dd

SHA1
78f431b04243778cf02f29c63ec1f10e464bde6a

SHA256
1d552bba9fdb2557c0a0b55c79eb322852df0e6a0bcb3b48cfbdd335f32b3552

SHA512
0e53cd5e0c943e9c2014b8b778811b4aa83610347f7156ef4b5f616a13a7d29552f72087fe8a956c1c9464af224dcf113232d65e913049e8be8966aa7f2887a6

Download Submit
C:\Users\Admin\AppData\Roaming\head.JS

Filesize
25B

MD5
19ebe25a2df3c27bfc3c692ba7ce9158

SHA1
f7f5514d24f03611b055af2fc9a541ecf579142e

SHA256
f5f9b7e1859d47775dfe65573624e84f1e2d6f9c2a3a08f684b8148cefb720e8

SHA512
76c4e82aa9bf6d64c956788eacb9c8bc13db2e626c44a548ab7a49dda9569ea06b48dc46b92e725ce2ab4a7a7124cf01565923adbc7a4c529ac429184639659b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\403-18.htm

Filesize
1KB

MD5
56dc72e6d4312b109ec4862c045d00d6

SHA1
35cb8a074b875326de6d4206feb631479c47e782

SHA256
0246ad30d0589512453a988e290c7c0a3d3a74dfaa7213f3716ef3ebf7c0b4d3

SHA512
7c7a1b996fec2e28b30533b297517bd5d621f0b7beac69b87c08742146028c6dfc9e34f3e391226d72f7723e54a3833877dca09b820299497ea7167395f1869b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\404.htm

Filesize
1KB

MD5
c9bc5da6fd95dd59b3d1e69c3bc97d40

SHA1
ff4b92b0c8d12a77d12853be583c85fad9b4ebd7

SHA256
cd201762f1c25dc56952abcb7d09a2463aca29a67872ea1cf732ca244a66867e

SHA512
2677a2cf9f066afb73f2cade9840655c9e592273d2870b74bd1d28f9a899e10a47d127871f9b7f0e817e7bfb93ace30bb62c90a66001eed6ca75bbe29682d156

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AortaEndoderm.4

Filesize
1KB

MD5
a88ef914e52cf1ffe510701425e937df

SHA1
b192efc9c4389ee475d5a020c7113d1116576743

SHA256
1e55c3c596abad16c43bc6ce3104672d629b9c766d750580cc9a0bf22fabb03f

SHA512
600d9a0fbb7130f908f1a64288def37197a4d3e59489afc051eb8db085f71886f089917592b20260a06d01d217e826c854af445d884bea4ba8b68542c76ba362

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Grayscale.act

Filesize
772B

MD5
2ce81a3cc84b5269c1ac1fa076fd3810

SHA1
2f46aa44381ece540573257a59b1ff03977455d0

SHA256
fe468943559318a5108b2f74f642f1e2405e2eab23f37d14dc83c41f195e6af2

SHA512
d6911f56347566c13302e33f5dce0d740b4752986c2daef04f6a58e29fa94053496b41bf5f3aaa51e730ac1b2be0316e60ef9fcc7822ab049b8379b64cf34edd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\PriorityQueue.mi

Filesize
3KB

MD5
216ac955299235967e6acff2d142f90e

SHA1
0eb63a15b7e5e132ef5d7b8f35000c19c1e4914f

SHA256
3f8a4c058009b40c2c9db0a2742904419b3f83ace1a161fcd4535f4537618e36

SHA512
3c5cc8b586ca7586ed33745985760bf1b986932505696c63c7fef00785409cc312daa6de584e41521cebca1355c2d4e2cbacb3a8556015026547f169c7b0afe7

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Steel - Stainless.3PP

Filesize
1KB

MD5
1c634fd7fb3cd9c2224c078f9eeefc69

SHA1
17eb93d49502653e3307cd8d40ecfd95b8b86e00

SHA256
1b70f3602cbf38c812e09cdac1dcd05da89f94418d09c4bebf4174a1f7bf9585

SHA512
1c965706c6512e188e15e53afc33bfd202e8685b58724f1747073cfe9d02c62bbaaf4db6f6764572c707035582115f11f711b6e26ceee3f9048f0fdbd9199a3e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Warn If RGB.jsx

Filesize
3KB

MD5
ae91301a596819d2abe479e3d5bcf3f7

SHA1
c1effcc1b453ee3060d95334fae707d309732dee

SHA256
866ac76bce63b709c4a74c8ddeeb943064b51834abcb84994c9e49f66a42195c

SHA512
0cf8612875d2f5e4b75df043ee450ffa4f6091ab9a6b5d4dab851757c31a86c3edbb4385a59f4a7c2ac3c6926d6309529c92cb0c7d0e3c4f0f907e6fe48767d9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\alert_alt.png

Filesize
1KB

MD5
f1e7e527a5440044e05eaac629619e7d

SHA1
04320a6c16c5d0e07c931fbc118683dacae8eae1

SHA256
517b4d1320bb728dea51edfe782d9eed3474c38398d984ec61e3ee792c26bf34

SHA512
e93e2a57362cbcf3ce542b578ac65e27e56772a22e26e169238428d26ebcba8970264ab4e174a1a43b23a6815978235fcb1fc526b9ef8f7de1a7c6a3af37f9cd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\caution.png

Filesize
887B

MD5
c81b5317d4908545f44864fce61f1851

SHA1
2845725264796608d781187d95d7d41ab872dea5

SHA256
e9faf89885257ccdf9b9cdea3c4104079977d43d907fd948f4c1526aee0c923a

SHA512
f1cfa4d3aaa99bfcd51fd39314b75547e5ba26df5daf3ca432d95941e42099b5e429367ee80caae0f4e00ce5a62a4e5c4eea9e7b4deddc82c68ba7fe382a51e8

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\component.label.includes.part.label.xml

Filesize
1KB

MD5
59159241399b141689dfb8bcd7a97687

SHA1
cec2775a0afc540b4593cb616b1c6ce43ea2c7c3

SHA256
94122f4fa60f0c0a794c1f48ba7739bfbbba944fb2465b1c37bcd00bad358907

SHA512
7b12619fb230871fde5649fcac0487fb082de6139234de2a57bd6c40999e93b8217b015ec081cbbc3c80cc2803f990dedefdf84d0fa40e817ff2e607adcd66ae

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\dsc_backup_tile.png

Filesize
3KB

MD5
beb396b92b562044ba2a79aac9dc3f03

SHA1
55c9d9f618771539b48ee31caac008cf2256c48a

SHA256
5aca0d04f8792e6feadb2179cd7470efe5c8aa622217613f3a0a5b2d23f73d85

SHA512
2a1b8c00d71fad6e16682893db2fc62a17d99ea8409efcc559464a32bcf6de46e5ab3a1cc69f77587d5b6142b344b517dc10c7434a99aedf45d684662ca46070

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\error.png

Filesize
1KB

MD5
1d1b1d388440bb5e2cdd4f4faa885716

SHA1
db102db4952cbb019575f9e9e8dbb46599e21d69

SHA256
f684fb3e456e1b76256fb7a210575a7a5701d18defa60e8e5ea9eee2881c5cbd

SHA512
33c05c70aef42e944abda76ddbdc1499d16544d94c5f2d3a1deccf9b91383077c52160ba9811f0136dd64dda292fea242b91cd68b1bf9c3ace01866da2e374fb

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\goURL_lr_photoshop_it.csv

Filesize
518B

MD5
721b165d59b4fb4963d72ee30e0bb528

SHA1
c86e55ac72145e3fa7f477934b0530c9ecf5832c

SHA256
7ddcde24717074d4947fba773cf40f4aaabc007c721a8dad73fa49611922ca03

SHA512
ab4f7b2253098bc80f38fc814061e87fbeedca25f23a1e425e50910e36432bea74ec2e6856de4f3adbff380b4f6b7e44d7e022e6442b3a4b680f0939e5dd8b22

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\goURL_lr_photoshop_tw.csv

Filesize
315B

MD5
a495dbfcf4b0a3d3c31fb66ae38d372b

SHA1
8e4f6d1a038404df23ed5ec0ea78e33620ae50ed

SHA256
ab450cefc9d7dc3db5204e235475bc8168c064019b81d4c582c7cb3eb718a642

SHA512
3439f9cefb4c7337f8a203fb2ff225104657fcb20771c54896f75e83f6bc76c6e91ffb2952d209a3ab17cc904223185d0d8da3db4fddaae4a8430b2438294eae

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\inventory_2.png

Filesize
1KB

MD5
6442c313e40885c47ac01d0e433fdc5d

SHA1
dddeee37bb621a2ee59ecceacd626bc83c0750c4

SHA256
985468cf92e095bd5f2d4e210a4285d01b07b77b26989427f3172498d8197632

SHA512
e4d6821dcf953ed4081f6cf9554b6956bbf9408ce240810ae083249f170df0e92aaeaabb012d69e96aeb5f65b9d351e2ca19ebdac8d015b3cfac1035520c5b8d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\palm_alpha_0.png

Filesize
2KB

MD5
d07b4c478fe0bbf228844214eaa2c4dd

SHA1
31c2997444ca4939c66ce58f14b175127a0c9dc8

SHA256
320afddc24a28690d50c1ff09305a93f3bd4972981f76d6af688328d6a788a23

SHA512
062266e7915db75bc2d415168aa2ae4fbc6771b5dca4bfe88af1d029b323f38aca8d07d179bef10ad557f9e44d86c2d3c0dcf74957e17e861c158626ee1c53cb

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\speaker_system.png

Filesize
1KB

MD5
c01f89dc4104276efafdb2c54eb96623

SHA1
b4bcddeaf49a11be86633652a40eff99d5063c9f

SHA256
8ac76e6e7f12ca2f2d3b2a544879c7bf711200987cdc7024b636b1ee2bf0368f

SHA512
98cb18158230973b86ea97871a85b50a8cf1927f2abd1095980563b673af2fe813974a26b10b97c1068039e6fcc9845f4c7e5ae96a649cbbc7899edb023dacbb

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\t21.png

Filesize
1KB

MD5
b5cf827e091773ed84be06ecf2cf9966

SHA1
9c9e6132f17a119215c9b4887b1eb9ef116e8f4c

SHA256
23945722bf5e84a77946e3c7441877edb69960ee46f5432ba330e98b0b45735e

SHA512
f7f65af7c9c8d2d8ca64e5466e022eb9e8bc4f34e6546948d6e9c892d878c6cb5987be2c28e871d0a5edb7bee85b6b14c7ef700f36e516a222c07e087b18b825

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\wmimplex.CNT

Filesize
1KB

MD5
d335f72da6671c0f185f56118bfe6784

SHA1
700eefb07dedfbc0db8caa4236ca39d10ca84228

SHA256
a1cf001973dea0f1c7854278762607d1f3162d9563a0a2febe31793055acf20a

SHA512
427fb907d3381d432f60ee04e0cc90b96daaf7f0e5015fdaf78e7889f009e164a20952d118ced882fe692e09dd67af8798627a3ecb574952fa43f40dbd6487a0

Download Submit
\Users\Admin\AppData\Local\Temp\nsj30E.tmp\System.dll

Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
\Users\Admin\AppData\Roaming\Linker.dll

Filesize
20KB

MD5
d4347e5ece1d7cc8a2fffb1afef7ea32

SHA1
4a656426fdc156a914494cef7f8fc437d6ca28dc

SHA256
6f7a21dd4e3539e81113a54f5f1ab70fb3e5457033e923fbb95fdb80b7c433cd

SHA512
0923dd987ef862f4341643627c68fdf276a749aa647c29509d72ec9ee77accb79a5fde7e1387696534e096c8c1714ce694c9c826faff2a06178b7068e7d48d56

Download Submit
memory/592-1351-0x0000000000520000-0x0000000000597000-memory.dmp

Filesize
476KB

Download
memory/592-118-0x0000000000520000-0x0000000000597000-memory.dmp

Filesize
476KB

Download
memory/592-120-0x0000000000520000-0x0000000000597000-memory.dmp

Filesize
476KB

Download
memory/592-126-0x0000000000520000-0x0000000000597000-memory.dmp

Filesize
476KB

Download
memory/592-121-0x0000000000520000-0x0000000000597000-memory.dmp

Filesize
476KB

Download
memory/592-117-0x0000000000520000-0x0000000000597000-memory.dmp

Filesize
476KB

Download
memory/592-128-0x0000000000520000-0x0000000000597000-memory.dmp

Filesize
476KB

Download
memory/592-132-0x0000000000520000-0x0000000000597000-memory.dmp

Filesize
476KB

Download
memory/592-124-0x0000000000520000-0x0000000000597000-memory.dmp

Filesize
476KB

Download
memory/592-131-0x0000000000520000-0x0000000000597000-memory.dmp

Filesize
476KB

Download
memory/868-107-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/868-113-0x0000000000850000-0x0000000000A9B000-memory.dmp

Filesize
2.3MB

Download
memory/868-1363-0x0000000000850000-0x0000000000A9B000-memory.dmp

Filesize
2.3MB

Download
memory/1612-55-0x0000000000BF0000-0x0000000000E3B000-memory.dmp

Filesize
2.3MB

Download
memory/1612-53-0x00000000009D0000-0x0000000000BEA000-memory.dmp

Filesize
2.1MB

Download
memory/1612-54-0x0000000000400000-0x00000000004A4600-memory.dmp

Filesize
657KB

Download
memory/1612-52-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1612-46-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1612-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1612-50-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1612-44-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2628-1468-0x0000000000850000-0x0000000000A9B000-memory.dmp

Filesize
2.3MB

Download